If you don't store cleartext passwords in your backend, how will an intruder get them??
On Tue, Oct 11, 2022 at 3:45 PM Serveria Support <support@serveria.com> wrote:
Yes, I realize that. But I can't think of a reason this password is necessary in the logs. It's kind of a backdoor and has to be removed from the code. Why make an intruder's life easier?
On 2022-10-11 13:39, Arjen de Korte wrote:
Quoting Serveria Support <support@serveria.com>:
Yes, there is a tiny problem letting the attacker change this value back to yes and instantly get access to users' passwords in plain text. Apart from that - no problems at all. :)
If an attacker is able to modify your Dovecot configuration, you have bigger problems than leaking your users' passwords. Much bigger...
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)